CVE-2026-4113

High

Published: 09 April 2026

Published

09 April 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0009 25.5th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4113 is a high-severity Observable Response Discrepancy (CWE-204) vulnerability in Sonicwall (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Account Discovery (T1087); ranked at the 25.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-6 (Authentication Feedback) and SI-11 (Error Handling).

Threat & Defense at a Glance

What attackers do: exploitation maps to Account Discovery (T1087). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Flaw remediation requires applying vendor patches to directly eliminate the response discrepancy vulnerability in the SSL VPN component.

IA-6 Authentication Feedback good match

prevent

Authentication feedback obscures responses during credential validation to prevent enumeration via observable discrepancies.

SI-11 Error Handling good match

prevent

Error handling ensures server responses do not reveal exploitable differences that enable SSL VPN credential enumeration.

MITRE ATT&CK Enterprise TechniquesAI

T1087 Account Discovery Discovery

Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment.

attack.mitre.org →

Why these techniques?

The vulnerability directly enables enumeration of valid SSL VPN user credentials (usernames and potentially passwords) via observable response discrepancies, mapping to account discovery on the target system.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An observable response discrepancy vulnerability in the SonicWall SMA1000 series appliances allows a remote attacker to enumerate SSL VPN user credentials.

Deeper analysisAI

CVE-2026-4113 is an observable response discrepancy vulnerability, classified under CWE-204, affecting the SonicWall SMA1000 series appliances. It enables a remote attacker to enumerate SSL VPN user credentials by exploiting differences in server responses. The vulnerability received a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, and significant impacts on confidentiality, integrity, and availability.

Exploitation requires high privileges (PR:H), meaning an attacker must already possess an authenticated account with elevated access on the appliance, such as an administrator. From a network-accessible position, the attacker can send crafted requests to the SSL VPN component, observing response discrepancies to infer valid usernames and potentially passwords or other credentials. Successful enumeration could lead to full compromise of VPN access, enabling further lateral movement or data exfiltration.

SonicWall has documented the issue in their PSIRT advisory at https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0003, published on 2026-04-09, which provides further details on affected versions and recommended mitigations. Security practitioners should consult this advisory for patching instructions and workarounds to address the vulnerability.

Details

CWE(s): CWE-204

Affected Products

Sonicwall

—

inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-23193Shared CWE-204

CVE-2025-12455Shared CWE-204

CVE-2026-33419Shared CWE-204

References

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0003
PSIRT@sonicwall.com